LEGAL

Privacy Policy

Effective Date: June 2, 2026  ·  Last Updated: June 2, 2026

1. Introduction

BrAIn ("Company," "we," "us," or "our") is committed to protecting the privacy and security of the information entrusted to us by the enterprises and individuals who use our platform. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding it.

This Policy applies to the BrAIn platform, including the Cortex Configuration Platform, the AI engine, and all related services (collectively, the "Service").

By using the Service, you agree to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Account and Identity Information

When your Organization is onboarded and Users are invited, we collect:

  • Name and email address (obtained from your OAuth provider — Google or Microsoft)
  • Organization name and subdomain
  • Role assignments (USER, ADMIN, SYSADMIN)

We do not collect or store passwords. Authentication is handled exclusively via OAuth.

2.2 User Profile Data

Users may optionally complete a profile to enable personalized Agent responses. This profile may include:

  • Professional background, role, and industry
  • Communication preferences (tone, formality, verbosity)
  • Goals, interests, and values
  • Custom key-value fields defined by the User

Profile data is stored within your Organization's dedicated tenant database and is never shared across Organizations.

2.3 Agent Configuration Data

ADMIN users configure Agents through a guided form covering identity, personality, guardrails, knowledge context, and target audience. This configuration data is stored in your Organization's tenant database and used solely to generate and refine Agent behavior for your Organization.

2.4 Knowledge Base Content

Organizations may upload documents to the Knowledge Base. Uploaded files are:

  • Extracted and processed by Apache Tika
  • Chunked, embedded, and indexed in a Milvus vector database
  • Scoped exclusively to the uploading Organization's tenant

We do not use Knowledge Base content from one Organization to train or improve AI responses for any other Organization.

2.5 Chat and Interaction Data

When Users interact with Agents via the chat interface, the content of those interactions is processed to generate responses. In the current MVP phase, conversation logs are not persistently stored by default. This feature is planned for a future release and will include appropriate privacy controls when introduced.

2.6 Usage and Technical Data

We automatically collect certain technical information to operate and improve the Service, including:

  • IP addresses and browser/device type
  • Pages visited and features used within the Platform
  • API request logs and error reports
  • Service performance metrics

This data is used for operational purposes and is not sold or shared with third-party advertisers.

3. How We Use Your Information

We use the information we collect to:

  • Provision and manage your Organization's tenant environment
  • Authenticate Users and enforce role-based access control
  • Operate, maintain, and improve the Platform
  • Enable AI Agents to generate contextual, personalized responses using your Organization's Knowledge Base and User profile data
  • Provide white-glove support and onboarding services
  • Send service-related communications (e.g., account invitations, system notifications)
  • Monitor for security threats, fraud, and abuse
  • Comply with legal obligations

We do not use your Organization's Content or User data to train general-purpose AI models for use outside your Organization.

4. Data Isolation and Multi-Tenancy

BrAIn operates a strict multi-tenant architecture designed for enterprise data isolation:

  • Each Organization receives a dedicated database — data is never co-mingled with other Organizations at the database layer.
  • Tenant routing is derived from a subdomain prefix, enforced at the API gateway level before any data access occurs.
  • The master database contains only routing metadata (Organization names, subdomains) — no business or user data.
  • Knowledge Base embeddings in Milvus are stored in per-Organization collections.

This architecture ensures that a security breach or misconfiguration affecting one tenant cannot expose data belonging to another.

5. Data Sharing and Disclosure

We do not sell your personal information or Organization data. We may share information in the following limited circumstances:

5.1 Service Providers

We engage third-party service providers to help operate the Platform (e.g., cloud infrastructure, email delivery, LLM inference via Ollama or compatible providers). These providers are bound by confidentiality obligations and may only process data as directed by BrAIn.

5.2 AI Model Providers

When Agents process queries, requests may be forwarded to configured LLM providers (including OpenAI, Anthropic, or locally-hosted models via Ollama). The specific provider used for your Organization is configured by the BrAIn SYSADMIN team. We do not send identifying information about your Users to LLM providers beyond what is necessary to generate a response.

5.3 Legal Requirements

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of BrAIn, our customers, or others.

5.4 Business Transfers

If BrAIn undergoes a merger, acquisition, or sale of assets, customer data may be transferred as part of that transaction. We will notify affected Organizations in advance and ensure the receiving entity is bound by equivalent privacy commitments.

6. Data Retention

We retain your information for as long as your Organization has an active relationship with BrAIn, plus a reasonable period thereafter to fulfill legal or contractual obligations.

Upon termination of your Organization's account:

  • A data export window will be made available to ADMIN users.
  • Following the export window, Organization data (including Knowledge Base content, agent configurations, and user profiles) will be permanently deleted from production systems.
  • Backup copies are deleted on a rolling schedule as part of standard backup rotation.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate or incomplete data.
  • Deletion — Request deletion of your personal data, subject to legal retention requirements.
  • Portability — Request a machine-readable export of your data.
  • Objection — Object to certain processing activities.
  • Restriction — Request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, contact us at contact@solidailabs.com. We will respond within the timeframe required by applicable law (typically 30 days).

Individual Users wishing to update their profile data may do so directly through the User Profile section of the Platform.

8. Cookies and Tracking

The Platform uses cookies and similar technologies to:

  • Maintain authenticated sessions (JWT stored in secure, HTTP-only cookies)
  • Protect against CSRF attacks (double-submit cookie pattern)
  • Collect aggregate analytics on Platform usage

We do not use third-party advertising cookies or cross-site tracking technologies.

9. Children's Privacy

The Service is intended for enterprise use only and is not directed at children under the age of 16. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, contact us at contact@solidailabs.com and we will delete it promptly.

10. International Data Transfers

If your Organization is located outside the country where BrAIn's servers are hosted, your data may be transferred to and processed in a different country. We implement appropriate safeguards (such as standard contractual clauses) to ensure that such transfers comply with applicable privacy law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify ADMIN users of material changes via the Platform or email before changes take effect. The "Last Updated" date at the top of this Policy reflects the most recent revision.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact our privacy team at: